5 min read

U2F, FIDO, and YubiKeys for the uninitiated

For the last two years I've been really focusing on my personal tech security and privacy. Part of this has included entering the deep dark world of GPG, PGP, YubiKeys, and all that fun stuff. I've been really enjoying learning about it all, but I've also found it incredibly intimidating. The world isn't short of articles telling you "if you accidentally do X, nothing matters anymore and nothing is secure". Needless to say, it's been a pretty steep learning curve.

I wanted to try and distil down some of my current understanding and progress into an article. Mostly this is selfish, as I want somewhere to refer to when I forget something, but I also think it might be useful for people who are at the start of this journey.

Traditional authentication

The standard way to authenticate with most services us using a username and password. This is the weakest form of authentication, but it is still the most pervasive. A slight improvement on this is using a "passphrase" rather than a "password", as this is usually much longer and formed of multiple words.

For the rest of this article, I'll refer to "passwords" which will encompas both passwords and passphrases.

The flaws of traditional authentication

You probably already know the flaws of username/password only authentication but here's a short list for those who may not.

  • Most people do not use strong passwords, the ones they choose are short and easy to crack, guess, or social engineer.
  • With only one form of authentication, we open ourselves up to a bigger impact of Phising. You are required to only make one mistake (handing over your password) for it to be game over. With multiple factors, we need to make many more mistakes for a bad actor to gain access.
  • Usually, the way to reset a password is via your email. As a result, if someone gains access to your email address they can get access to any of your accounts connected to it.

Multiple factor authentication

A username (or email, as it usually is these days) is a public piece of information, it's like your name, anyone can say your name or type it into something and so keeping it secret does not usually matter (although it may help a tiny bit). We don't usually consider a username to be a factor of authentication. Passwords on the other hand we do. When we use a password we say "hey I am {username_x}, here is my password as proof!". As a result, a username and password combo are usually seen as a single factor of authentication.

These days there is a lot of talk about Two Factor Authentication (2FA). This idea is about adding a second piece to the authentication step, another piece of information you must provide for your proof of identity. We usually say the strongest authentication system you could build would contain three factors, often: "something you know, something you have, and something you are". With 2FA we are often talking about using "something you know, and something you have". The password is the "something you know", and then it's up to us to incorporate the "something you have".

2FA Options

There are many options to incorporating second factor authenitcation, or the "something you have". At the moment, most organisations are trying to incorporate a code generator which give you a 6 digit code to type in as a secondary input after a password. These code generators are usually apps on your phone, or potentially a separate dongle. These use some sort of clock sync approach meaning the codes only display on your device for 60 seconds, and they are also only valid during those (usually) 60 seconds. Outside of that, the code you try and input will no longer be valid. If someone manages to steal a code from your device, they will need to use it very quickly.

U2F

Another option is a "Universal 2nd Factor" (U2F), this is an open standard for a physical device which plugs into your computer / phone using USB. This is something you carry around with your keys and it saves you typing in a code every time. You also can't give it to someone else without losing it, making it really clear that it's meant to be yours and yours alone!

YubiKey are a provider of U2F devices, they make small dongles which attach onto your keys and plug into a computer via USB (or use NFC for your phone). They've slick and easy to use, the website or application presents a challenge much like when asking for a password, however in this case you simply plug in your key and tap the metal contact on it.

How does this work behind the scenes? It's really just using the priciples of "public key cryptography". I won't go into too much detail here as it's a huge topic on it's own but here are the basics. Your U2F key has a public and private key, the private key is on the device and never leaves it. This key should never be shared, and there isn't a very easy way of getting it off the device for this reason. The public key is what you give to services that you want to connect your U2F device to. The two keys are mathematically linked and allow the following:

  • Anyone can use your public key to encrypt something, and only your private key can decrypt it. Not even the public key can reverse the process.
  • Your private key can digitally "sign" something, and anyone with your public key can verify it was signed by your private key. No one else can sign something in a way that the public key will verify it. This is like a bit like signing a document the old school way.

For U2F we leverage the signature bit, you give over your public key to the service you connect your U2F device to, they then send a challenge and say "hey, sign this please". Your U2F device signs that with the private key (without it ever leaving your device) and returns the result. The service then verifies that using your public key and lets you proceed.

What is FIDO?

The "Fast IDentity Online" Alliance is a group of organisations that look after the U2F standard and a few other similar standards like UFA. They're not another device, but they do certify device manufactorers producing U2F devices to ensure they can all work together under the same standard.

OpenPGP/GPG and Yubikey

I won't attempt to explain OpenPGP or GPG here, there are many guides out there and it's a bit of a complex one.

Many Yubikeys can function as a SmartCard for OpenPGP keys, this means they can store private keys and be used with tools like GPG. All of the encryption / signing happens on the Yubikey so the keys never leave the device which is a great added layer. You will need to find a device which specifically mentions it's support for a SmartCard / OpenPGP to have this functionality, most of the new ones seem to have it. This means you can use your Yubikey for signing git tags, docker containers, or encrypting your email using something like Thunderbird Email Client.

Glossary

  • Authenticate - The act of verifying that someone is who they say they are. This is like checking the person looks like the person that presents a passport. It does not allow them entry, it simply says "yes I believe you are the person you claim to be". This usually preceeds an authorisation step.
  • Authorise - The act of verifying an individual has the correct permission to do what they are trying to do. This is different to `authenticate` as you are trusting they are who they say they are (due to some proof like a token) and now checking to see if they can do the thing they're trying to do.